This is an archived, read-only copy of the United-TI subforum, including posts and topics from May 2003 to April 2012.

So as we've all seen, TI's latest addition to its line of calculators is the most amazing nSpire. One problem though: TI does not wish to allow third-party applications at this time, nor do they show evidence that they will ever plan to do so either.

So here's what must be done: In order to support Assembly, we will most likely have to construct our own OS for this beast. My only idea of achieving this would be to use the same file header that the current OSes use.

As you all have probably noticed, I'm not an expert at hacking, but I may be able to help with general idea support and Assembly coding, nonetheless.

So my question to all:

Is there anyone willing to partake in this, and is there anyone with any type of knowledge that might be able to help? :D

TI is gonna get raped. Again. 0x5

Last edited by Guest on 18 Nov 2009 04:39:41 pm; edited 1 time in total

An OS replacement is way out of line right now...the goal is just to execute any ARM assembly at all, and come up with a viable hack and system of releasing programs that will continue to work even after they fix whatever exploit we release.

They are dead-set against us doing this, so anything we exploit, they will fix. Take a look at the PSP, there have been many exploits of varying natures, but once you can get unsigned code running on it, you can start running standard applications people have made.

We know next to nothing about Nspire hardware, and that's what has to change first.

The Nspire OS is encrypted and transferred to the calculator encrypted, where it is decrypted, validated, and then written (in that order). You will not be able to install an OS of your own without an exploit, just like with the other calculators.

So...it IS being worked on. Because of how much TI wants to shut this down, details are going to be hard to find publicly, especially on running code.

Last edited by Guest on 08 Sep 2008 07:33:48 am; edited 1 time in total

The problem with TI is that they are wanting to keep their calculators strictly for mathematics, and problem solving. They are upset because many teachers look down upon fancy calculators because of all the games that students play on them during class.

99% of the people that I see with a calculator are either playing a game or coding on it. The other 1% of the people, like myself and the community who enjoy programming for experience, and homework, and on occasion, games, are left out in the cold to suffer. So until we figure out a way, we're screwed.

And the reason I posted this here, and not on the wiki is because we are the largest calc community, and I can't imagine how many programmers (who are not necessarily interested in calculators) visit this site every day.

I suppose that you don't have to know anything about hacking, just programming. You gotta be able to find a hole or an error in the coding and be able to exploit it. :P

I'm actually trying to rally people up to be able to do this. Something just needs to be done about it. The greatest calculator in history (well, not technically) is released, and we can't even use it how we want. That's very upsetting!

I've tried a little bit of research on how the 83 and 84 were hacked, but to no avail. Does anyone happen to know exactly how this was done? Was it done through the I/O port, or was there a BASIC program that manipulated the PC (program counter)?

I mean come on, though. People are able to hack through something crazy like an Xbox, yet we haven't been able to poke through a calculator?? 0x5. (I just really, really, want to be able to make games and to experiment on the nSpire.)


I share your enthusiasm, really, but it's going to take a lot more than just looking at code. As I said, the OS is encrypted and you can't disassemble it. The only way you're going to find any code is to desolder the memory chips and dump it yourself, and believe me, that is much, much harder than it might sound.

I don't mean to sound like a jerk, but a lot of the effort going into this is behind the scenes and is not ready to be publicized, one because it's in its infant stages, and two because TI IS watching, like I said.

The first calculator to run assembly was the TI-85, and it was done through a hacked backup. At the time, you could transfer backups of RAM from one calculator to another through the I/O port. A .85b file (85 backup file) on the PC was analyzed and it was found that the custom menu entries on the 85 contain pointers to functions in the OS, and that by selecting a menu item, you were really jumping to a location in memory. This allows you to manipulate that pointer and send it back to the 85, and jump anywhere in RAM. By placing more code elsewhere in RAM, you can start working on dumping the OS to picture variables in pieces. And from there, you have a dump you can analyze and learn more. And that's the basis of ZShell and all the other 85 shells.

The 82 had a hacked backup method as well, but without a custom menu, it was done another way (by manipulating the VAT entries for REAL variables...by storing from one to another, you could overwrite arbitrary points in RAM, the most important being the context vectors. By overwriting cxMain with the address you want to jump to, and pressing another key, the OS will call your code directly. This is why you have to press enter twice on 82 shells).

The 83 had limited built-in assembly support through the use of Send(9, which was placed there by TI to see what we would do with it.

The 83+ and 84+ series have built-in assembly support.

Last edited by Guest on 08 Sep 2008 02:49:28 pm; edited 1 time in total
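
The defensive counterpart to the TI-85 backup issue described in the post above, as an added example (not from the thread or from TI): a restore routine that checks every stored menu handler against an allow-list before committing the backup. The struct layout, addresses and function names are hypothetical, not the real .85b format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MENU_SLOTS 5
/* Hypothetical layout for illustration; NOT the real .85b backup format. */
typedef struct {
    char     label[8];
    uint16_t handler;  /* address jumped to when the menu item is selected */
} menu_entry;

/* Constructed allow-list of legitimate handler entry points (made-up values). */
static const uint16_t os_handlers[] = { 0x1A40, 0x1B02, 0x2C7E };
#define N_HANDLERS (sizeof os_handlers / sizeof os_handlers[0])

static int handler_is_known(uint16_t addr) {
    for (size_t i = 0; i < N_HANDLERS; i++)
        if (os_handlers[i] == addr) return 1;
    return 0;
}

/* Weak restore: copies the received entries and trusts every pointer. */
int restore_menu_trusting(menu_entry *dst, const menu_entry *src) {
    memcpy(dst, src, sizeof(menu_entry) * MENU_SLOTS);
    return MENU_SLOTS;
}

/* Checked restore: validate all entries first, then commit. On failure the
   live table is left untouched and *bad_slot names the rejected entry. */
int restore_menu_checked(menu_entry *dst, const menu_entry *src, int *bad_slot) {
    for (int i = 0; i < MENU_SLOTS; i++)
        if (!handler_is_known(src[i].handler)) { *bad_slot = i; return -1; }
    memcpy(dst, src, sizeof(menu_entry) * MENU_SLOTS);
    return MENU_SLOTS;
}

/* Constructed sample backup; tamper != 0 points slot 2 at a RAM address. */
void make_sample_backup(menu_entry *out, int tamper) {
    memset(out, 0, sizeof(menu_entry) * MENU_SLOTS);
    for (int i = 0; i < MENU_SLOTS; i++)
        out[i].handler = os_handlers[i % N_HANDLERS];
    if (tamper) out[2].handler = 0x8C00;
}

int main(void) {
    static menu_entry live[MENU_SLOTS], bk[MENU_SLOTS];
    int bad = -1;
    make_sample_backup(bk, 1);
    int rc = restore_menu_checked(live, bk, &bad);
    printf("checked restore: %d (bad slot %d)\n", rc, bad);
    return 0;
}
```

Validating the whole backup before copying any of it keeps a partially accepted restore from leaving a mix of old and new entries in the live table.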

I know it might sound crazily hard to do, but what would we be able to do with the computer software that they released? I have the teacher edition for both the regular and CAS edition. Would it be possible to track what instructions were being sent, therefore we wouldn't have to do any decrypting? I'm not quite sure how they created the computer emulator (I still have the CDs in the package).

Does anybody need a copy of these, or would these even be able to help whatsoever?

:P This is really upsetting that we can't program this monster :/

You can do nothing with the software except document the link protocol, which has already been done on the wiki.

As far as the "emulator" software, I highly doubt it's accurately emulating the real hardware, or even the boot code or OS.

Everything is sent to the calculator and then it is decrypted from there. That's the black box you can't get into.

I know almost nothing about the Nspire, but... I wouldn't be so quick to write off the emulator. It may not be emulating the ARM CPU, but I expect it is running more-or-less the same software (which is presumably written in C or C++.) So if there are any vulnerabilities in the built-in apps, to corrupted data files or whatever, you might very well be able to find them in the emulator.

(That's not to say that the same exploits would work, merely that you could potentially find vulnerable areas of the code.)

Last edited by Guest on 09 Sep 2008 09:01:12 am; edited 1 time in total

No, that's not practical. We can't even factor the 83+ series public key.

Well, back in the day, a few years ago when 83+ hacking was at its peak, I would have been inclined to agree with you. Nowadays? Factoring a 512-bit number is certainly within the realm of possibility, if we could get a decent-sized group of people to donate their spare CPU cycles for a few months.

Do you guys have any idea what encryption scheme is used on the Nspire? I would guess it's considerably stronger. Still, I'm sure somebody will find a way in, sooner or later.

I don't know if I can wait that long. I've been emailing TI like crazy, and it's been taking them over 5 days to respond to my emails! I wonder if they've been taking my emails to higher authority or something, because of the questions about the nSpire?

(They haven't been able to tell me a thing, because they've already "released as much information as they chose to, to the public".)


They will tell you nothing about the Nspire...you're wasting your time with them, they have no motivation whatsoever to help you break what they've spent months and months trying to set up.

The 84+SE emulator of course can run current Flash applications and do everything a real one does (except writing to OS space, which can still be done through exploits). The emulator has been looked at as a method of attack and we found nothing, other than writing to OS space and "setting" bits in Flash.

Well, I know nothing about the Nspire, but I would gladly leave my computer on for a long time to help crack it. Otherwise, good luck in doing so, and at least I now know not to go and buy one yet!
